B-22
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-FAST
ACS-Supported Features for PACs, page B-25
Master Key Generation and PAC TTLs, page B-27
EAP-FAST for Allow TLS Renegotiation, page B-27
About Master-Keys
EAP-FAST master-keys are strong secrets that ACS automatically generates and of which only ACS is
aware. Master-keys are never sent to an end-user client. EAP-FAST requires master-keys for two
purposes:
• PAC generation—ACS generates PACs by using the active master-key. For details about PACs,
see About PACs, page B-22.
• EAP-FAST phase one—ACS determines whether the PAC that the end-user client presents was
generated by one of the master-keys it is aware of.
To increase the security of EAP-FAST, ACS changes the master-key that it uses to generate PACs. ACS
uses Master Key Generation Period values that you define to determine when it generates a new
master-key and the age of all master-keys.
An active master-key is the master-key used by ACS to generate PACs. The Master Key Generation
Period setting determines the duration that a master-key remains active. At any time, only one
master-key is active. For more information about how TTL values determine whether PAC refreshing or
provisioning is required, see Master Key Generation and PAC TTLs, page B-27.
About PACs
PACs are strong shared secrets that enable ACS and an EAP-FAST end-user client to authenticate each
other and establish a TLS tunnel for use in EAP-FAST phase two. ACS generates PACs by using the
active master-key and a username.
A PAC comprises:
• PAC-Key—Shared secret bound to a client (and client device) and server identity.
• PAC-Opaque—Opaque field that the client caches and passes to the server. The server recovers the
PAC-Key and the client identity to mutually authenticate with the client.
• PAC-Info—At a minimum, includes the Authority ID to enable the client to cache different PACs.
Optionally, it includes other information such as the PAC's expiration time.
An EAP-FAST end-user client stores PACs for each user accessing the network with the client.
Additionally, a AAA server that supports EAP-FAST has a unique Authority ID. An end-user client
associates a user’s PACs with the Authority ID of the AAA server that generated them. PACs remove the
need for PKI (digital certificates).
During EAP-FAST phase one, the end-user client presents the PAC that it has for the current user and
Authority ID that ACS sends at the beginning of the EAP-FAST transaction. The means of providing
PACs to end-user clients, known as PAC provisioning, are discussed in Automatic In-Band PAC
Provisioning, page B-24 and Manual PAC Provisioning, page B-25.
Modifying the master key generation values does not affect already created PACs. Any modifications
you make to the master key generation values specify the period when the next master keys are
generated.
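The master-key and PAC relationship described in the two sections above, as an added illustrative model that is not ACS code and not the PAC-Opaque format ACS actually uses: one active master-key is retained alongside older ones, a PAC (PAC-Key, PAC-Opaque, PAC-Info) is derived from the active key and a username, and phase one recovers the PAC-Key and identity only if some known master-key produced the PAC-Opaque. The key sizes, the HMAC-based derivation and the `PacAuthority` class are assumptions made for the example.

```python
import hmac, hashlib, os

def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed derivation used for every secret in this toy model."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class PacAuthority:
    """Illustrative EAP-FAST PAC authority (assumed design, not Cisco ACS internals)."""
    def __init__(self, authority_id: bytes, generation_period: int, now: int):
        self.authority_id = authority_id
        self.period = generation_period            # Master Key Generation Period (s)
        self.master_keys = [(now, os.urandom(32))]  # oldest .. newest; newest is active

    def maybe_rotate(self, now: int) -> bool:
        """Generate a new active master-key once the current one has lived a full period.
        Old keys stay known, so PACs issued under them are still recognised (but stale)."""
        if now - self.master_keys[-1][0] >= self.period:
            self.master_keys.append((now, os.urandom(32)))
            return True
        return False

    def issue_pac(self, username: str, now: int) -> dict:
        """Build a PAC from the ACTIVE master-key and the username."""
        mk = self.master_keys[-1][1]
        ident = username.encode()
        if len(ident) > 32:
            raise ValueError("identity longer than the one-block mask in this model")
        nonce = os.urandom(16)
        pac_key = _prf(mk, b"pac-key", nonce, ident)
        # PAC-Opaque: identity masked with a master-key-derived keystream, then MACed
        # under the master-key, so only a server holding that key can open or verify it.
        mask = _prf(mk, b"mask", nonce)
        body = nonce + bytes(a ^ b for a, b in zip(ident, mask))
        opaque = body + _prf(mk, b"tag", body)
        return {"pac_key": pac_key, "pac_opaque": opaque,
                "pac_info": {"authority_id": self.authority_id, "issued": now}}

    def recover(self, opaque: bytes):
        """Phase one: try the active key first, then older ones. Returns
        (identity, pac_key, issued_under_active_key) or None if no known key fits."""
        body, tag = opaque[:-32], opaque[-32:]
        nonce, masked = body[:16], body[16:]
        for idx, (_, mk) in enumerate(reversed(self.master_keys)):
            if hmac.compare_digest(_prf(mk, b"tag", body), tag):
                ident = bytes(a ^ b for a, b in zip(masked, _prf(mk, b"mask", nonce)))
                return ident.decode(), _prf(mk, b"pac-key", nonce, ident), idx == 0
        return None  # unknown master-key or tampered opaque: PAC must be re-provisioned
```

A `None` result is the case where the client must go through PAC provisioning again, while a hit on a non-active key is where a TTL policy would decide whether to refresh the PAC.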